OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

GENERAL CONTROLS REVIEW OF THE FLORIDA DIVISION OF DISABILITY DETERMINATIONS CLAIMS PROCESSING SYSTEM

January 2007    A-14-06-16023

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA's programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG). The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA's programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse. We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date: January 10, 2007
To: Paul D. Barnes, Regional Commissioner, Atlanta
From: Inspector General
Subject: General Controls Review of the Florida Division of Disability Determinations Claims Processing System (A-14-06-16023)

OBJECTIVE
Our objective was to assess the general controls environment of the Florida Division of Disability Determinations (FL-DDD) claims processing system.

BACKGROUND
The Disability Insurance program provides benefits to wage earners and their families in the event the wage earner becomes disabled. The Supplemental Security Income program is a Federal income supplement program designed to help aged, blind, and/or disabled people who have little or no income. The Social Security Administration (SSA) implements the policies governing the development of disability claims under each program. Disability determinations under both programs are performed by an agency in each State or other responsible jurisdiction according to Federal regulations.[1] In carrying out its obligations, each responsible agency determines claimants' disabilities and ensures there is adequate evidence available to support its determinations.

Disability Determination Services' (DDS) personnel have access to extremely valuable and sensitive SSA data, such as Social Security numbers (SSN), medical information, and related disability claims data. Sensitive SSA data,[2] processed and stored by each DDS, should be protected from inappropriate or unauthorized access, use, and disclosure. DDSs have a responsibility to safeguard sensitive SSA data entrusted to them and to safeguard SSA's and DDS' systems accessed and used to process that data.

DDSs use a variety of hardware and software platforms to store, process, and protect sensitive SSA data. FL-DDD disability claims are processed on an IBM iSeries computer system (IBM computer) using I. Levy & Associates (iLevy), Inc. software.

The DDSs are expected to provide a control environment that meets SSA's minimum security requirements. SSA's security requirements for DDSs are found in its Program Operations Manual System (POMS).[3] The POMS provides SSA privacy and security program standards and guidelines, which apply to the DDS environment. SSA has also distributed Risk Models[4] to the DDSs to establish security settings for the various hardware platforms to help ensure the security of SSA data stored and processed on the DDS enterprise.

The FL-DDD maintains operations in six locations (Jacksonville, Miami, Orlando, Pensacola, Tallahassee and Tampa) and is a component of Florida's Department of Health. The IBM computer used by the FL-DDD to process claims is physically located at the Tallahassee location in the Ashley Building. Therefore, our physical security review was limited to the Ashley Building.

[1] 20 C.F.R., part 404, subpart Q, and part 416, subpart J.
[2] Sensitive data downloaded from SSA to the DDS claims processing system include claimant SSN, name, address, phone number and date of birth.
[3] POMS, Section DI 39566, DDS Privacy and Security.
[4] The Risk Model that was followed by the FL-DDD at the time of our review was the iSeries Security Settings and Control Model (commonly known as the iSeries Risk Model), October 2005.

RESULTS OF REVIEW
We reviewed the general controls environment of the FL-DDD claims processing system and found it was generally in compliance with SSA standards. We found five physical security and four systems security-related issues that needed to be addressed to help ensure that SSA data stored and processed at the FL-DDD is secure. However, these issues do not rise to the level of impacting our overall conclusion.

We held an exit conference with the FL-DDD management as well as staff from the Atlanta Regional Office and SSA Headquarters to explain our findings and recommendations. The FL-DDD has subsequently addressed most of our findings. Although we did not independently verify the corrective actions, we commend the FL-DDD on its efforts to help improve security.

PHYSICAL SECURITY ISSUES

Terminated and Transferred Employees Remained in the Physical Security Access Control System

We found six FL-DDD employees who had either been terminated or transferred during Fiscal Year (FY) 2006; however, active accounts for these employees still remained in the physical security access control system for the Ashley Building. Employees gain entry to the Ashley Building and interior passageways with an electronic key that is programmed with the employee's access requirements based upon their job duties. If an unauthorized individual has possession of one of these electronic keys and the account is still active in the physical security access control system, then that individual will have access to the building and interior passageways assigned to that key. SSA policy[5] states that office keys should be restricted to those individuals who are required to have them.

The physical security officer is responsible for administering physical access at the Ashley Building. However, there was no formal process to notify the physical security officer when an employee is terminated or transfers to another FL-DDD location. Systems access is removed via an automated request initiated by the employee's manager and routed to the FL-DDD's systems Help Desk. The FL-DDD also uses an employee exit checklist whenever employees separate from or transfer to another location within the FL-DDD. This checklist details the items that the manager must collect prior to the employee's final day of work, such as access cards, building keys, and parking passes.

We recommended during our site visit that the automated Help Desk ticket and exit checklist processes be revised to incorporate the physical security officer so physical access will be removed for terminations and transfers to other FL-DDD locations. The FL-DDD stated that several processes have been implemented since our site visit to ensure the physical security officer is notified when an employee is being terminated or transferred. These processes are:

• The supervisor of an employee who is terminating or transferring to another location must notify the Ashley Building's physical security officer via email with the employee's name, access code number, and level of access.
• The physical security officer receives a weekly listing from the Human Resources (HR) Department of all employees who have separated from the FL-DDD.
• The employee exit checklist has been amended to include the physical security officer for the receipt of access cards, building keys, and parking passes.

The FL-DDD stated it will explore the feasibility of an automated procedure to notify the physical security officer of employee terminations and transfers, as we had recommended. We encourage the FL-DDD to pursue implementing this automated process.

[5] POMS, Section DI 39566.010 B.6.a., DDS Physical Security.

Employee Exit Checklists Were Not on File

Employee exit checklists for 27 of 75 terminated employees and 12 of 14 employees who transferred to other locations within the FL-DDD were not on file with the FL-DDD HR Department. Of the 50 exit checklists that were on file, 33 were not fully completed. Incomplete or missing checklists do not ensure that all FL-DDD property issued to terminated or transferred employees has been returned prior to their departure. SSA policy[6] states that personnel should turn in identification cards and all Agency property and that a copy of the completed checklist be maintained in the employee's personnel folder.

The checklist used by the FL-DDD directs the local offices to ensure that all fields on the form are addressed and that the completed checklist is submitted to HR. We recommended at the exit conference that the FL-DDD issue a reminder to its field supervisors to ensure that all fields in the checklists are addressed and that completed exit checklists are submitted to the FL-DDD HR Department.

The FL-DDD stated that a process has now been implemented to ensure that exit checklists are completed and submitted to HR. Upon notification to HR that an employee is separating from or transferring to another location within the FL-DDD, the supervisor is sent the checklist and instructed to complete and submit it to HR. The HR Department now monitors this process to ensure that checklists are completed and submitted by the supervisors. We commend the FL-DDD for its prompt action to correct this issue.

[6] POMS, Section DI 39566.010 B.6.h., DDS Physical Security.

Excessive Personnel Had Access to the Computer Room

We found that 5 of the 31 employees who had been granted unescorted access to the Ashley Building's computer room had job duties not requiring this access. These employees included administrative personnel, accounting personnel, and non-systems managers. Unescorted access would allow such an employee, whether maliciously or accidentally, to damage FL-DDD equipment and data without the knowledge of FL-DDD systems or management staff. SSA's POMS[7] states that access to the computer room should be restricted to management or authorized personnel. The Government Accountability Office's (GAO) Federal Information Systems Controls Audit Manual (FISCAM)[8] also recommends that access to an entity's computer room facilities and equipment be limited to employees whose job duties and responsibilities require this access.

The physical security access codes that provide access to the Ashley Building's systems area office space also provide unescorted access to the computer room where the IBM computer is housed. While it may be necessary for some non-systems employees to have access to the systems area office space to meet with systems staff or to conduct other business, these employees should not have unescorted access to the computer room. We recommended at the exit conference that the FL-DDD set up a separate access code for the computer room in its physical security access control system and that the systems area access of these employees be removed until separate access codes are in place for the systems office area and the computer room.

The FL-DDD agreed with our recommendation. A separate access code has been implemented for non-systems employees that provides access to the systems office space but does not allow unescorted access to the computer room. Only employees whose job duties require unescorted access to the computer room have such access now. We commend the FL-DDD for its prompt action to correct this issue.

[7] POMS, Section DI 39566.010 B.2.l., DDS Physical Security.
[8] GAO FISCAM, January 1999, pages 46-47.

Computer Room Housing the IBM Computer Did Not Have an Environmental Alarm System

The computer room in the Ashley Building, where the IBM computer is housed, did not have an environmental alarm system. Environmental controls can diminish the losses from some interruptions, such as fires, or prevent incidents altogether by detecting potential problems early, such as water leaks or smoke, so that they can be remedied.[9] SSA policy[10] states that an environmental controls alarm system should be installed in DDS computer rooms.

The FL-DDD stated that it has determined its computer room environmental alarm needs and has requested funding from SSA. We recommend the FL-DDD continue to pursue the installation of an environmental control alarm system to prevent or mitigate damage within the computer room and interruptions in service.

[9] GAO FISCAM, January 1999, page 128.
[10] POMS, Section DI 39566.010 B.2.m., DDS Physical Security.

Physical Security Weaknesses That Were Related to Door Construction

There were two doors with rising hinge pins on the ground level of the Ashley Building that lead from the lobby, which is open to the public between 6 a.m. and 7 p.m., into FL-DDD office space. Rising hinge pins can be tampered with and the door lifted off its frame. Also, the door leading into the systems office area did not have a peephole. Individuals ring a doorbell and verbally identify themselves to gain access to the systems office area, so staff inside cannot see who they are admitting.

SSA policy[11] states that perimeter doors should have non-rising hinge pins to prevent tampering with the hinges and should have peepholes if visibility is restricted. We recommended at the exit conference that the FL-DDD install non-rising hinge pins or secure the existing hinges so that the doors cannot be removed from their frames. We also recommended a peephole be installed in the systems area office entrance door, so individuals without access to the area can be visually identified before being allowed to enter.

The FL-DDD agreed with our recommendations and stated that non-rising hinge pins have been installed on the two perimeter doors leading into its office space. The FL-DDD also stated a peephole has been installed in the systems area office entrance door. We commend the FL-DDD for its prompt action to correct these issues.

[11] POMS, Section DI 39566.010 B.1.d. and 39566.010 B.1.e., DDS Physical Security.

SYSTEMS SECURITY ISSUES

Terminated Employees Still Had Enabled IBM Computer or Local Area Network Profiles

Two employees who were terminated during the current FY still had enabled IBM computer profiles at the time of our fieldwork. Also, another terminated employee had an enabled Windows local area network profile. Individuals whose profiles are enabled have the ability to sign on to the system.

SSA provides the DDSs with the IBM computer Settings and Controls model (Risk Model) as a template for installation and management of the IBM computer platform. This document lists the required settings along with a risk description and underlying policy. The Risk Model states that accounts should be disabled immediately upon an employee's separation from duty.[12]

The process for disabling systems access for terminated employees at the FL-DDD is initiated by an automated Help Desk ticket request submitted by the employee's manager. If a Help Desk ticket request is not submitted, the terminated employee's account will remain enabled. Since our site visit, the FL-DDD issued a reminder to its area managers and bureau chiefs to follow the proper procedures for disabling terminated employees' systems access. We commend the FL-DDD for its prompt action to correct this issue.

Accounts Inactive for Over 30 Days Were Not Disabled

There were 24 user profiles on the IBM computer that had not been disabled although more than 30 days had passed since their last sign-on. Also, six user profiles had never been used to sign on to the IBM computer although more than 30 days had passed since they were created, and these profiles had not been disabled either. Inactive profiles increase the risk of inappropriate activity by unauthorized users. The risk is greater for profiles that have never signed onto the IBM computer because the FL-DDD uses a generic naming convention for its IBM computer profiles and a default password for initial sign-on, so both the user name and the initial password of a never-used profile are predictable to anyone who knows the convention.

SSA policy[13] states that accounts should be reviewed on a periodic basis and disabled after 30 days of inactivity. The FL-DDD agreed with our finding and stated a system job now runs weekly and disables profiles that have not signed onto the IBM computer in over 30 days or have not signed on within 30 days of the creation of the profile. We commend the FL-DDD on its prompt action to correct this issue.

[12] SSA's iSeries Security Settings and Control Model, October 2005, page 13.
[13] SSA's iSeries Security Settings and Control Model, October 2005, page 13.

IBM-Supplied Profile Not Configured in Accordance With Risk Model

We found an IBM-supplied profile on the IBM computer that was not configured in accordance with the SSA Risk Model. The IBM-supplied profile QPGMR:

• was used as a group profile for the FL-DDD programmers and batch users,
• was allowed to sign on to the IBM computer, and
• had special authorities[14] assigned to it.

The SSA Risk Model[15] states that the QPGMR profile should not be used as a group profile and should not be allowed to sign onto the IBM computer. This ensures that individuals cannot sign onto the system under the group profile and perform activity that would not be attributable to them, as it would be had they signed on under their individual user profiles. The FL-DDD agreed with our finding and stated that the QPGMR profile can no longer sign onto the IBM computer.
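The inactive-profile and QPGMR findings above come down to a few checks over user-profile attributes that an iSeries administrator can export and audit on a schedule, which is essentially what the FL-DDD's weekly job does. The following is an added example, not code from the OIG report, SSA, the FL-DDD or iLevy. It models a profile with attributes that correspond to common IBM i user-profile settings (STATUS, PASSWORD, INLMNU, GRPPRF, SPCAUT, previous sign-on and creation dates), applies the 30-day rule including the never-signed-on case, runs the three QPGMR checks, and applies the same sign-on check to any profiles a site designates as restricted-use. The definition of "can sign on", the profile names and all dates are constructed assumptions; how the records are exported from the system is out of scope.

```python
"""Audit IBM i (iSeries) user-profile records against the account-management
rules the report above attributes to SSA's iSeries Risk Model.

Added example, not code from the OIG report, SSA or the FL-DDD. Field names
mirror common user-profile attributes (STATUS, PASSWORD, INLMNU, GRPPRF,
SPCAUT, previous sign-on date, creation date); exporting them (for example
DSPUSRPRF to an outfile or SQL over QSYS2.USER_INFO) is out of scope here,
and the sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_INACTIVE_DAYS = 30            # Risk Model: disable after 30 days of inactivity
IBM_SUPPLIED_GROUP = "QPGMR"      # IBM-supplied profile the report discusses


@dataclass
class UserProfile:
    name: str
    status: str                           # "*ENABLED" or "*DISABLED"
    created: date
    last_signon: Optional[date] = None    # None: never signed on
    group_profile: str = "*NONE"          # GRPPRF
    password: str = "*SET"                # "*NONE": no password stored, no sign-on
    initial_menu: str = "MAIN"            # INLMNU; "*SIGNOFF" ends the session at once
    special_authorities: tuple = ()       # SPCAUT values, e.g. ("*JOBCTL", "*SAVSYS")


def can_sign_on(p: UserProfile) -> bool:
    """Interpretation used by this example (an assumption, not a Risk Model
    quotation): a profile yields an interactive session unless it is disabled,
    has no password, or its initial menu signs the job straight back off."""
    return (p.status == "*ENABLED"
            and p.password != "*NONE"
            and p.initial_menu != "*SIGNOFF")


def inactive_profiles(profiles, as_of, max_days=MAX_INACTIVE_DAYS):
    """Profiles that can still sign on but should have been disabled: no
    sign-on for more than max_days, or never used and created more than
    max_days ago (the never-used case is the one the report singles out)."""
    cutoff = as_of - timedelta(days=max_days)
    findings = []
    for p in profiles:
        if not can_sign_on(p):
            continue
        if p.last_signon is None:
            if p.created < cutoff:
                findings.append((p.name, "never signed on"))
        elif p.last_signon < cutoff:
            findings.append((p.name, "inactive"))
    return findings


def group_profile_findings(profiles, group_name=IBM_SUPPLIED_GROUP):
    """The three checks the report applies to QPGMR: used as a group profile,
    able to sign on, and carrying special authorities."""
    findings = []
    members = sorted(p.name for p in profiles if p.group_profile == group_name)
    if members:
        findings.append(f"{group_name} is group profile for: {', '.join(members)}")
    grp = next((p for p in profiles if p.name == group_name), None)
    if grp is not None:
        if can_sign_on(grp):
            findings.append(f"{group_name} can sign on")
        if grp.special_authorities:
            # The Risk Model says none; IBM ships QPGMR with some, which is why
            # the report treats this as a policy question, not a setting to flip.
            findings.append(f"{group_name} has special authorities: "
                            + " ".join(grp.special_authorities))
    return findings


def restricted_signon_findings(profiles, restricted_names):
    """Restricted-use profiles (vendor and application group profiles) that
    can sign on; sorted so the result is stable for reporting."""
    return sorted(p.name for p in profiles
                  if p.name in restricted_names and can_sign_on(p))


# Constructed sample data; names and dates are invented, not FL-DDD data.
AS_OF = date(2006, 5, 1)
SAMPLE_PROFILES = [
    UserProfile("DDS0101", "*ENABLED", date(2004, 3, 1), date(2006, 4, 28)),
    UserProfile("DDS0102", "*ENABLED", date(2004, 3, 1), date(2006, 2, 10)),   # inactive
    UserProfile("DDS0103", "*ENABLED", date(2006, 3, 15)),                     # never used, older than 30 days
    UserProfile("DDS0104", "*ENABLED", date(2006, 4, 20)),                     # never used, still within 30 days
    UserProfile("DDS0105", "*DISABLED", date(2004, 3, 1), date(2005, 12, 1)),  # already disabled
    UserProfile("PGMR01", "*ENABLED", date(2004, 3, 1), date(2006, 4, 30),
                group_profile="QPGMR"),
    UserProfile("QPGMR", "*ENABLED", date(2003, 1, 1), date(2006, 4, 10),
                special_authorities=("*JOBCTL", "*SAVSYS")),
    UserProfile("APPVENDOR", "*ENABLED", date(2005, 6, 1), date(2006, 4, 15)),
    UserProfile("APPGROUP", "*ENABLED", date(2005, 6, 1), password="*NONE"),
]
RESTRICTED_USE = {"APPVENDOR", "APPGROUP"}

if __name__ == "__main__":
    for name, why in inactive_profiles(SAMPLE_PROFILES, AS_OF):
        print(f"disable: {name} ({why})")
    for line in group_profile_findings(SAMPLE_PROFILES):
        print("QPGMR:", line)
    for name in restricted_signon_findings(SAMPLE_PROFILES, RESTRICTED_USE):
        print("restricted-use profile can sign on:", name)
```

Two design points carry over to a real system. First, the never-signed-on check is keyed on creation date rather than last sign-on, because a profile that has never been used has no sign-on timestamp at all and is otherwise invisible to a plain "last sign-on older than 30 days" query. Second, `can_sign_on` is deliberately separate from the status flag: a group or vendor profile may be enabled yet unable to open a session (no password, or an initial menu of *SIGNOFF), which is exactly the distinction that matters when deciding whether a compensating control is adequate.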
The FL-DDD is also\ncoordinating with IBM and iLevy to develop a solution to no longer use QPGMR as a\ngroup profile.\n\nThe Risk Model16 also states that the QPGMR should not have any special authorities\nassigned to it. However, the QPGMR profile is shipped from IBM with special\nauthorities and IBM\xe2\x80\x99s Security Reference Manual for the IBM computer 17 cautions that\nremoving special authorities from IBM-supplied profiles may cause system functions to\nfail. The FL-DDD has expressed concern that removing these special authorities may\nimpact its production environment.\n\nWe recommend the FL-DDD continue to develop a solution enabling it to stop using the\nQPGMR profile as a group profile for the FL-DDD programmers and batch users. We\nalso recommend the FL-DDD work with SSA to determine whether the special\nauthorities can be removed from the QPGMR profile or whether the Risk Model requires\nrevision.\n\n\n\n\n14\n     Special authorities are used to specify the types of actions a user can perform on system resources.\n15\n     SSA\xe2\x80\x99s iSeries Security Settings and Control Model, October 2005, page 9.\n16\n     Id.\n17\n  IBM, iSeries Security Reference Version 5 (SC41-5302-08), August 2005, page 271. The Security\nReference Manual provides information about planning, setting up, managing, and auditing security on\nthe iSeries system.\n\x0cPage 8 - The Commissioner\n\nRestricted-Use Profiles Can Sign Onto the System\n\nSix restricted-use profiles, which are vendor profiles and application group profiles, can\nsign onto the system in violation of SSA policy. SSA\xe2\x80\x99s Risk Model18 states that these\nrestricted-use profiles should not have the authority to sign onto the system. 
Profiles\nthat are shared by groups or have widely known access rights and policies are subject\nto abuse and do not allow for accountability to a specific individual\xe2\x80\x99s actions.\n\nWe discussed this issue with the FL-DDD management at the exit conference\nconducted with staff from the Atlanta Regional Office and SSA Headquarters. These\nrestricted-use profiles pertain to functions associated with the FL-DDD\xe2\x80\x99s iLevy software.\nPer consultations with iLevy, and by experimentation performed by the FL-DDD in its\ntest environment, a determination has been reached that these restricted-use profiles\nmust have the ability to sign onto the IBM computer. Restricting this ability would cause\nsystem functions to fail and impact production. The FL-DDD has shared these\nconcerns with SSA and has decided not to change the restricted-use profile settings at\nthis time.\n\nThe FL-DDD has worked with SSA and the Office of the Inspector General (OIG) to\nimplement alternative security settings for these profiles. These security settings would\noffer an acceptable compensating control for being unable to prevent these profiles from\nsigning on to the IBM computer as currently mandated by the SSA Risk Model. We\nrecommend the FL-DDD continue to work with SSA to determine whether the Risk\nModel should be revised to reflect the production needs of the DDSs.\n\nCONCLUSION AND RECOMMENDATIONS\nWe found the general controls environment for the claims processing system at the\nFL-DDD to be generally effective and in compliance with SSA policy. However, we\nidentified physical and systems security areas where the FL-DDD could improve upon\nits protection of sensitive SSA data. We recommend the FL-DDD:\n\n1. Pursue implementing an automated process to notify the physical security officer of\n   employee terminations and transfers.\n\n2. 
Continue to pursue the installation of an environmental control alarm system to\n   prevent or mitigate damage within the computer room and interruptions in service.\n\n3. Continue to develop a solution that enables termination of the QPGMR profile as a\n   group profile for its programmers and batch users.\n\n\n\n\n18\n     SSA\xe2\x80\x99s iSeries Security Settings and Control Model, October 2005, page 14.\n\x0cPage 9 - The Commissioner\n\n4. Continue to work with SSA to determine whether the special authorities can be\n   removed from the QPGMR profile or whether the Risk Model requires revision.\n\n5. Continue to work with SSA to determine whether the Risk Model needs revision to\n   reflect the production needs of the DDSs.\n\nAGENCY COMMENTS AND OIG RESPONSE\nThe Regional Commissioner essentially concurred with all five recommendations.\nInitially, the Regional Commissioner questioned the costs associated with\nrecommendation 2 (see Appendix C). After further clarifying our position, the Regional\nCommissioner revised the comments and agreed to our second recommendation (see\nAppendix D).\n\nFor recommendation 4, the OIG asked that the Regional Commissioner to either modify\nthe QPGMR profile or revise the Risk Model. The Regional Commissioner agreed to\nrevise the Risk Model.\n\n\n\n\n                                           Patrick P. O\xe2\x80\x99Carroll, Jr.\n\x0c                                     Appendices\nAPPENDIX A \xe2\x80\x93 Acronyms\nAPPENDIX B \xe2\x80\x93 Scope and Methodology\nAPPENDIX C \xe2\x80\x93 Agency Comments\nAPPENDIX D \xe2\x80\x93 Agency Comments - Revised\nAPPENDIX E \xe2\x80\x93 OIG Contacts and Staff Acknowledgments\n\x0c                                                                Appendix A\n\nAcronyms\nC.F.R.       
Code of Federal Regulations\nDDS          Disability Determination Services\nFISCAM       Federal Information System Controls Audit Manual\nFL-DDD       Florida Division of Disability Determinations\nFY           Fiscal Year\nGAO          Government Accountability Office\nHR           Human Resources\niLevy        I. Levy & Associates, Inc.\nOIG          Office of the Inspector General\nPOMS         Program Operations Manual System\nRisk Model   iSeries Settings and Controls Model\nSSA          Social Security Administration\nSSN          Social Security Number\n\x0c                                                                             Appendix B\n\nScope and Methodology\nOur objective was to assess the general controls environment of the Florida Division of\nDisability Determinations (FL-DDD) claims processing system.\n\nAccording to the Government Accountability Office (GAO), 1 general controls apply to all\ninformation systems\xe2\x80\x94mainframe, minicomputer, network, and end-user environments.\nThese controls include (1) entity-wide security program planning, management, [and]\ncontrol over data center operations, (2) system software acquisition and maintenance,\n(3) access security, and (4) application system development and maintenance.\n\nOur audit of the FL-DDD general controls consisted of (1) entity-wide security\nprogram planning, management and control over data center operations to\ninclude service continuity and environmental controls and (2) access security to\ninclude physical and system security. 
We did not review the FL-DDD system\nsoftware acquisition and maintenance or application system development and\nmaintenance.\n\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   Reviewed the Social Security Administration\xe2\x80\x99s (SSA) security requirements sent to\n    the Disability Determination Services, which included the Program Operations\n    Manual System and the IBM iSeries computer system Security Settings and Control\n    Model.\n\xe2\x80\xa2   Interviewed pertinent FL-DDD managers and personnel.\n\xe2\x80\xa2   Reviewed applicable guidance pertaining to the evaluation of general controls over\n    computer-processed data from agency program information systems.\n\xe2\x80\xa2   Reviewed prior Office of the Inspector General reports and the\n    PricewaterhouseCoopers LLP Fiscal Year 2005 Management Letter containing\n    information relative to our objective.\n\xe2\x80\xa2   Obtained an understanding of the FL-DDD\xe2\x80\x99s general controls environment for its\n    claims processing system and tested certain controls to determine whether they\n    were effective and operating as intended.\n\nWe performed our field work at SSA Headquarters and at the FL-DDD Administrative\nOffice in Tallahassee, Florida between March and May 2006. We conducted our review\nin accordance with generally accepted government auditing standards.\n\n\n1\n GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1, November 1999,\npage 16.\n\x0c                  Appendix C\n\nAgency Comments\n\x0c                                  SOCIAL SECURITY\n                                                     Refer To: K. 
Killam 2-5727\n\n\nMEMORANDUM\n\nDate:      November 28, 2006\n\nTo:        Inspector General\n\nFrom:      Regional Commissioner\n           Atlanta\n\nSubject: General Controls Review of the Florida Division of Disability\n         Determinations Claims Processing System (A-14-06-16023)\n\nThank you for the opportunity to comment on the validity of the facts and\nreasonableness of the recommendations presented in your draft audit report of the\nFlorida Division of Disability Determinations (FL DDD). We believe that the OIG Audit,\nregarding the general controls environment of the FL DDD claims processing system,\nwas detailed and thorough.\n\nOur response to the five recommendations is as follows:\n\n1. Recommendation: Pursue implementing an automated process to notify the\n   physical security officer of employee terminations and transfers.\n\n      We agree with this recommendation. The OIG auditors found five physical security\n      and four systems security-related issues that needed to be addressed within the FL\n      DDD. The auditors recommended during their site visit that the automated Help\n      Desk ticket and exit checklist processes be revised to incorporate the physical\n      security officer. On April 21, 2006, the FL DDD implemented a change in procedure.\n      The security liaisons for area offices are now notifying the Physical Security\n      Coordinator of the name(s) and key number(s) of employees when they leave the FL\n      DDD. The Physical Security Coordinator then updates the Master List of key\n      holders. Therefore, physical access will be removed for all terminations and\n      transfers to other FL DDD locations. Issue resolved and no further action is\n      necessary.\n\n2. 
Recommendation: Continue to pursue the installation of an environmental\n   control alarm system to prevent or mitigate damage within the computer room\n   and interruptions in service.\n\n\n\n\n                                           C-1\n\x0c  We do not agree with this recommendation. The auditors site our POMS DI\n  39566.010.B2 as the policy requirement for the installation of environmental\n  controls in the computer rooms. The POMS policy states that this is a\n  discretionary standard. The reference reads as follows: \xe2\x80\x9cWe encourage DDS\n  management to use the discretionary procedures to ensure ongoing security\n  of data, personnel, and property. The DDS should consider, based on a risk\n  assessment of their facilities (location, crime rate, current security level, etc.),\n  whether some or all of the discretionary measures should be included in their\n  security program. If a DDS is unable to meet a guideline for physical security,\n  a risk assessment plan should be prepared.\xe2\x80\x9d Based on the DDSs assessment\n  of their security needs, SSA evaluates the value of funding these types of\n  requests. SSA has determined that the cost of fire suppression systems far\n  exceeds the value of the equipment and will not be funding the installation of\n  environmental controls in the Florida DDD. Therefore, issue resolved and no\n  further action is necessary.\n\n3. Recommendation: Continue to develop a solution that enables termination of\n   the QPGMR profile as a group profile for its programmers and batch users.\n\n   We agree with this recommendation. The SSA Risk Model states that the QPGMR\n   profile should not be used as a group profile and should not be allowed to sign onto\n   IBM computers. 
The FL DDD agreed that individuals should not be able to sign onto\n   the system under the group profile and perform activity that is not appropriate.\n   Accordingly, the DDD began working with the iSeries Focus Group and SSA\n   personnel in Central Office to resolve this issue with QPGMR. As a result, the\n   QPGMR profile is disabled and initial program set to None for the FL DDD iSeries.\n   Therefore, users cannot log on to the FL DDS iSeries using QPGMR. Issue\n   resolved and no further action is necessary.\n\n4. Recommendation: Continue to work with SSA to determine whether the\n   special authorities can be removed from the QPGMR profile or whether the\n   Risk Model requires revision.\n\n   We do not agree with the recommendation of removing the special authorities from\n   the QPGMR profile, but believe that the Risk Model should be revised. The Risk\n   Model states that the QPGMR should not have any special authorities assigned to it.\n   The FL DDD was concerned, however, that removing special authorities might\n   impact their production environment. Since the initial findings by the auditors, SSA\n   personnel in Central Office have revised the Risk Model. The Risk Model now\n   indicates that QPGMR is shipped by IBM with special authorities and that they\n   should not inherently indicate a security issue. Therefore, all DDSs (including the FL\n   DDD) can continue to utilize the QPGMR profile as needed by the application\n   vendors (i.e. Levy, Versa and Midas), but should not add any additional special\n   authorities to the QPGMR profile that are not already present. The FL DDD and\n   SSA will continue to take care that the QPGMR profile is utilized correctly.\n\n5. Recommendation: Continue to work with SSA to determine whether the Risk Model needs\n   revision to reflect the production needs of the FL DDD.\n\n   We agree with this recommendation. 
Auditors found six restricted-use profiles,\n   which are vendor profiles and application group profiles that could sign onto the\n   system in violation of SSA policy. SSA’s Risk Model states that these restricted-use\n   profiles should not have the authority to sign onto the system. Profiles that are\n   shared by groups or have widely known access rights and policies are subject to\n   abuse and do not allow for accountability to a specific individual’s actions. Therefore,\n   FL DDD has reminded area managers and bureau chiefs to follow procedures for\n   disabling employees’ systems access (as outlined above). The FL DDD and SSA\n   will continue to monitor these procedures to ensure compliance by area managers\n   and bureau chiefs. The Quarterly Security review of all systems access accounts\n   will ensure any deficiency is found and corrected.\n\nYour staff may direct questions to Josie Irwin at (404) 562-1407 or Karen Killam at (404)\n562-5727.\n\n\n\n                        Paul D. Barnes\n\ncc: James McHargue\n    Paul Buehler\n    Josie Irwin\n\n                            Appendix D\n\nAgency Comments - Revised\n\n                                SOCIAL SECURITY\n                                                     Refer To: K. Killam 2-5727\n\nMEMORANDUM\n\nDate:    December 19, 2006\n\nTo:      Inspector General\n\nFrom:   Regional Commissioner\n        Atlanta\n\nSubject: General Controls Review of the Florida Division of\n         Disability Determinations Claims Processing System\n         (A-14-06-16023) – Revision\n\nWe responded to the above draft audit report on November 28, 2006. Our response to\nthe 2nd recommendation regarding the installation of an environmental control alarm\nsystem indicated that we did not agree with the recommendation. 
Our response dealt\nwith the installation of an environmental suppression system, which we believed was\nnot cost-effective. However, in the interim, we realized that OIG was recommending the\ninstallation of an environmental control system and not a suppression system.\n\nOur updated response is as follows:\n\n2. Recommendation: Continue to pursue the installation of an environmental\n   control alarm system to prevent or mitigate damage within the computer room\n   and interruptions in service.\n\nWe agree with this recommendation. We are requesting funding for the installation of\nan environmental control alarm system to prevent or mitigate damage within the\ncomputer room. The Regional Office will work with the Florida DDS to ensure that this\nsystem is purchased and installed this fiscal year. Issue is ongoing until the control\nalarm system is installed.\n\nYour staff may direct questions to Josie Irwin at (404) 562-1407 or Karen Killam at (404)\n562-5727.\n\n                                         Paul D. Barnes\n\ncc: James McHargue\n    Paul Buehler\n    Josie Irwin\n\n                                                                      Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n   Kitt Winter, Director, Data Analysis and Technical Audits Division, (410) 965-9702\n\n   Albert Darago, Audit Manager, Application Controls Branch, (410) 965-9710\n\nAcknowledgments\nIn addition to those named above:\n\n   Alan Lang, Senior Auditor\n\n   Annette DeRito, Writer-Editor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public\nAffairs Specialist at (410) 965-3218. 
Refer to Common Identification Number\nA-14-06-16023.\n\n                            DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\nHouse of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\n               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration’s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA’s financial statements fairly present SSA’s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                   Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. 
Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG’s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG’s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n'